System and Method for Security Configuration

ABSTRACT

A system and method for accessing and identifying the security parameters of a device in an information handling system is disclosed. A device in a computer system may operate according to a defined security protocol, and multiple security protocols may exist across the devices of the system. In operation, a configuration capability is defined within the PCI Express communications protocol. This capability includes a capabilities data structure through which parameters concerning the security parameters of the device may be identified and passed to a processor.

TECHNICAL FIELD

The present disclosure relates generally to computer systems and information handling systems, and, more particularly, to a system and method for identifying the security configuration of security-enabled elements of a computer system.

BACKGROUND

As the value and use of information continues to increase, individuals and businesses seek additional ways to process and store information. One option available to these users is an information handling system. An information handling system generally processes, compiles, stores, and/or communicates information or data for business, personal, or other purposes thereby allowing users to take advantage of the value of the information. Because technology and information handling needs and requirements vary between different users or applications, information handling systems may vary with respect to the type of information handled; the methods for handling the information; the methods for processing, storing or communicating the information; the amount of information processed, stored, or communicated; and the speed and efficiency with which the information is processed, stored, or communicated. The variations in information handling systems allow for information handling systems to be general or configured for a specific user or specific use such as financial transaction processing, airline reservations, enterprise data storage, or global communications. In addition, information handling systems may include or comprise a variety of hardware and software components that may be configured to process, store, and communicate information and may include one or more computer systems, data storage systems, and networking systems.

An information handling system may include a number of hardware components that are security-enabled. These security-enabled components may operate according to the Trusted Platform Module or some other security protocol that limits access to or modification of the hardware component to a user having password access. In addition, encryption is becoming more common in hardware devices, limiting the ability to read data from the device without the availability of the required cryptographic key. In a computer system, multiple devices may require the use of a cryptographic key, and those devices may operate according to multiple security platforms, without the ability of each device to report its security characteristics and without the ability to centrally provision and initialize the security aspects of the devices across the various security platforms.

SUMMARY

In accordance with the present disclosure, a system and method for accessing and identifying the security parameters of a device in an information handling system is disclosed. A device in a computer system may operate according to a defined security protocol, and multiple security protocols may exist across the devices of the system. In operation, a configuration capability is defined within the PCI Express communications protocol. This capability includes a capabilities data structure through which parameters concerning the security parameters of the device may be identified and passed to a processor.

The system and method disclosed herein is technically advantageous because it uses an existing communications protocol to provide information concerning the various security protocols that exist on the devices of the network. The system and method described herein operates within the standards of and without a modification to the existing communications protocol. The system and method disclosed herein is also technically advantageous because it provides a technique for the computer system to manage the devices of the computer system and the security features of those devices across multiple, different security protocols, thereby providing the processor of the computer system with greater control over the security features of the computer system across different security domains. Other technical advantages will be apparent to those of ordinary skill in the art in view of the following specification, claims, and drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

A more complete understanding of the present embodiments and advantages thereof may be acquired by referring to the following description taken in conjunction with the accompanying drawings, in which like reference numbers indicate like features, and wherein:

FIG. 1 is a diagram of the architecture of an information handling system; and

FIG. 2 is a diagram of a configuration space header; and

FIG. 3 is a diagram of a PCIe capability data structure.

DETAILED DESCRIPTION

For purposes of this disclosure, an information handling system may include any instrumentality or aggregate of instrumentalities operable to compute, classify, process, transmit, receive, retrieve, originate, switch, store, display, manifest, detect, record, reproduce, handle, or utilize any form of information, intelligence, or data for business, scientific, control, or other purposes. For example, an information handling system may be a personal computer, a network storage device, or any other suitable device and may vary in size, shape, performance, functionality, and price. The information handling system may include random access memory (RAM), one or more processing resources such as a central processing unit (CPU) or hardware or software control logic, ROM, and/or other types of nonvolatile memory. Additional components of the information handling system may include one or more disk drives, one or more network ports for communication with external devices as well as various input and output (I/O) devices, such as a keyboard, a mouse, and a video display. The information handling system may also include one or more buses operable to transmit communications between the various hardware components.

Shown in FIG. 1 is a diagram of the architecture of an information handling system, which is indicated generally at 10. The computer system 10 includes a CPU or processor 12 that is coupled to a memory bridge 16. Memory bridge 16 is coupled to a graphics processor 14, system memory 18, and an I/O bridge 22. I/O bridge 22 is coupled to one or more hard disk drives or other storage 20 and a plurality of PCI Express (PCIe) devices 24. PCIe devices 24 may operate according to a security protocol, such as the Trusted Platform Module (TPM), and may require authentication through a cryptographic password before the PCIe device may be used or accessed.

The PCI Express standard includes a configuration space, which allows for the development and establishment of PCI Express capabilities. Shown in FIG. 2 is a configuration space header 30. For each device, the Vendor ID 34 will identify the supplier of the device and the Device ID 32 will uniquely identify the device within the computer system. Configuration space header 30 includes a Capabilities Pointer 36, which is the configuration register address of the first capability associated with the PCIe device, Configuration space header 30 also includes a set of base address registers 38.

Each capability is defined by a data structure. An example of a PCIe capability structure 40 is shown in FIG. 3. At byte offset 00h, PCI Express Capability ID 42 is a unique ID associated with the capability. For the security reporting capability of the present disclosure, there will be a predefined capability identifier associated with the security reporting capability and this capability identifier will be shared with and used by other PCI devices. The PCIe capability structure 40 also includes a device capabilities entry 44 at offset 04h, which identifies the security capabilities of the device. The identification of security capabilities may include an identification of the security protocol being used by the device, a flag that identifies whether the device is password-enabled, an identification of the format of the password, the address of the password (if the password is saved locally to the computer system), an identification of whether the password is cryptographically wrapped, or the address or other identifier of the administrator of the security protocol for the device. The capability structures 40 of the computer system form a linked list, with each capability structure including a Next Capability Pointer entry 46 that points to the next capability structure in the computer system.

The base address registers 38 of configuration space header 30 can also be used to enable the host computer system to access the security layer of the security-enabled devices of the computer system. Configuration space header 30 can include as many as six base address registers 38. One more of these base register addresses is dedicated to the address associated with the security features of the device, thereby providing the processor of the system with the memory address of data associated with the security features of the device. Alternatively, the base address register for the security features of the device could be stored to the device capabilities entry 42 of the capability structure 40. The ability of the processor to identify the address of the security features of the device enables the processor to perform the steps necessary to enable or disable the I/O security layer of the device. In addition, because the processor is able to access the address of the security features of the device, the processor can associate or disassociate the security features of the device with the security features of the computer system, which may operate according to different security protocols.

Although this invention has been described herein in terms of the PCI Express communications protocol, it should be understood that the system and method described herein may be employed with other communications protocol in which security parameters may be accessed through a data structure of the communications protocol. Although the present disclosure has been described in detail, it should be understood that various changes, substitutions, and alterations can be made hereto without departing from the spirit and the scope of the invention as defined by the appended claims. 

1. An information handling system, comprising: a processor; one or more devices coupled directly or indirectly to the processors, wherein the devices are able to communicate with the processor according to a communications protocol; wherein the communications protocol includes, for each device, an identification of at least one security parameter of the device.
 2. The information handling system of claim 1, wherein the communications protocol is PCI Express.
 3. The information handling system of claim 2, wherein the security parameters of each device are stored in a header associated with the configuration space of the PCI Express communications protocol.
 4. The information handling system of claim 1, wherein the security parameter is the security protocol of the device.
 5. The information handling system of claim 1, wherein the security parameter is an identification of whether the device is password-enabled.
 6. The information handling system of claim 1, wherein the security parameter is the address of the security password for the device.
 7. The information handling system of claim 1, wherein the security parameter is the format of the security password for the device.
 8. The information handling system of claim 1, wherein the security parameter is an identification of whether the password is cryptographically wrapped.
 9. A method for providing a security parameter for a device, comprising: storing in a data structure associated with the device a security parameter that is associated with the security protocol of the device, wherein the data structure is associated with the communications protocol of the device; and accessing the device to retrieve the security parameter from the data structure of the device.
 10. The method for providing a security parameter for a device of claim 9, wherein the communications protocol is PCI Express.
 11. The method for providing a security parameter for a device of claim 9, wherein the security protocol is the Trusted Platform Module.
 12. The method for providing a security parameter for a device of claim 9, wherein the data structure is within the configuration space of the PCI Express communications protocol.
 13. The method for providing a security parameter for a device of claim 9, wherein the security parameter is within the base address registers of the capability structure of the PCI Express communications protocol.
 14. The method for providing a security parameter for a device of claim 9, wherein the security parameter is indicative of the security protocol associated with the device.
 15. The method for providing a security parameter for a device of claim 9, wherein the security parameter is indicative of the password associated with the device and the security protocol for the device.
 16. A computer system, comprising: a processor; a plurality of devices, wherein the processor is operable to access the devices and wherein the devices operate according the PCI Express communications protocol; wherein each device is associated with a data structure that is consistent with the PCI Express communications protocol and wherein the data structure identifies at least one security parameter associated with the device.
 17. The computer system of claim 16, wherein the data structure is within the configuration space of the PCI Express communications protocol.
 18. The computer system of claim 16, wherein the security parameter identifies the security protocol associated with the device.
 19. The computer system of claim 16, wherein the security parameter identifies whether the device is associated with a security password.
 20. The computer system of claim 16, wherein the security parameter identifies whether the password associated with the device is cryptographically wrapped. 